Accessing the Apache Airflow UI
After you create an environment, a link to the Apache Airflow UI is added to the Environments table in the Amazon MWAA console. The permissions to access the Apache Airflow UI in your environment are managed by IAM. To use the link to access the Apache Airflow, you must have the necessary permissions. To grant the permissions to a user or role, you must attach a policy similar to the Apache Airflow UI access.
In addition to attaching the necessary permission policy that grants access to the Apache Airflow UI, you must also use tokens in the request to access the UI.
Topics
Web login token
Use the CreateWebLoginToken
API action to create a short-lived token that
allows a user to log into Apache Airflow web UI. The generated token are valid for
only 60
seconds.
The following is an example of a web server access URL that includes a
CreateWebLoginToken
token.
https://<webServerHostName>/aws_mwaa/aws-console-sso?login=true#<webToken>
Request
{ "name": "<Name of the environment>" }
Response
{ "webToken": "<Short-lived token generated for enabling access to the Apache Airflow Webserver UI>", "webServerHostname": "<Hostname for the WebServer of the environment>" }
CLI token
Use the CreateCliToken
API action to create a short-lived token that allows a
user to invoke the Airflow CLI via an endpoint on the Apache Airflow Webserver. The
generated
token is valid for only 60 seconds after creation.
The following example POST request demonstrates how to access the Apache Airflow Webserver using curl:
export WEB_SERVER_HOSTNAME="<webServerHostname>" export CLI_TOKEN="<cliToken>" curl --request POST "https://$WEB_SERVER_HOSTNAME/aws_mwaa/cli" \ --header "Authorization: Bearer $CLI_TOKEN" \ --header "Content-Type: text/plain" \ --data-raw "show_dag my_dag"
The response of a successful POST call contains the following JSON object:
Response
{ "stderr":"<STDERR of the CLI execution (if any), base64 encoded>", "stdout":"<STDOUT of the CLI execution, base64 encoded>" }
The following example demonstrates an additional method to create a CLI token:
# brew install jq aws mwaa create-cli-token --name
MWAAEnvironmentName
| export CLI_TOKEN=$(jq -r .CliToken) && curl --request POST "https://$WEB_SERVER_HOSTNAME
/aws_mwaa/cli" \ --header "Authorization: Bearer $CLI_TOKEN" \ --header "Content-Type: text/plain" \ --data-raw "trigger_dagDAGName
"
Supported Apache Airflow CLI commands
The following Apache Airflow CLI commands
-
dag_state
-
delete_dag
-
list_dag_runs
-
list_dags
-
list_tasks
-
next_execution
-
pause
-
pool
-
render
-
run
-
show_dag
-
task_failed_deps
-
task_state
-
test
-
trigger_dag
-
unpause
-
variables
-
version
Unsupported Apache Airflow CLI commands
The following Apache Airflow CLI commands are not supported when running Apache Airflow in an Amazon MWAA environment.
-
checkdb
-
connections
-
create_user
-
delete_user
-
flower
-
initdb
-
kerberos
-
list_users
-
resetdb
-
rotate_fernet_key
-
scheduler
-
serve_logs
-
shell
-
sync_perm
-
upgradedb
-
webserver
-
worker